
local IP adcfress; and 

modifying said soiirc§IP address of said datagram to be said external IP address of said gateway, 
y binding said destination pon^d^ess to said local IP address of said local device and creating an 
association between said destination po^ad^ress^nd the external IP address of said external device, 
and passing said datagram to said external network fc^routing and delivery to said external device 
if said destination port address is not bound to said local IP adHress of said local device. 



REMARKS 



The abstract has been amended to add drawing reference numbers. 

Claim 1 has been rewritten to eliminate from claim lsome claim elements that have now 
been rewritten as claims depending from claim 1. As such, the original content of claim 1 is now 
found in claims 1-4. Original dependent claims 2, 3 and 4 have been rewritten without 
modification as claims 5, 6 and 7. Original independent claim 5 has been rewritten as independent 
claim 8, and has eliminated some claim elements that have now been rewritten as dependent claim 
9. Original independent claim 6 has been rewritten as independent claim 10, and some claim 
elements have been eliminated and rewritten as dependent claim 1 1 . Original dependent claim 7 has 
been rewritten without modification as dependent claim 12, and original dependent claims 8-12 
have been rewritten without modification as new dependent claims 13-17. New independent claim 
18 has been added. 

No new matter has been added to the application. 

Because the total number of original and added claims is less than 20, applicant believes that 
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MARKED-UP AMENDED CLAIMS 

1. A network address translating gateway connecting a LAN to an external 
network, said LAN using local IP addresses, said gateway having a local IP address that 
can be seen by devices on said LAN and having an external IP address that can be seen 
by devices on said external network, said gateway comprising 

a plurality of internal tables associating combinations of local IP addresses of local 
devices on said LAN, external IP addresses of external devices on said external network, 
SPI - In values, SPI - Out values, source port addresses, destination port addresses, 
reserved port addresses, and maintaining a list of reserved port addresses, 

means for performing normal address translation upon datagrams passing from said 
LAN to said external network and datagrams passing from said external network to said 
LAN, 

means for delivering a datagram from a local device on said LAN to an external 
device on said external network by receiving a datagram from a local device on said LAN 
intended for delivery to an external device on said external network, and [determining 
whether said datagram is encrypted and, if said datagram is encrypted, for determining 
whether the SPI of said datagram is recorded in the SPI - Out field in said internal table 
and, if said SPI is recorded in said SPI - Outfield, modifying the source IP address of said 
datagram to be said external IP address of said gateway and passing said datagram to 
said external network for routing and delivery to said external device, 

and if said SPI is not recorded in said SPI - Out field of said internal table, setting 
the SPI - In field corresponding to the local IP address of said local device equal to zero 
and setting said SPI - Outfield equal to said SPI, modifying said source IP address of said 



datagram to be said external IP address of said gateway and passing said datagram to 
said external network for routing and delivery to said external device, 

and if said datagram is not encrypted,] determining whether the destination port 
address for said datagram is included in said list of reserved port addresses and, if said 
destination port address is not included in said list of reserved port addresses, performing 
normal address translation upon said datagram and passing said datagram to said external 
network for routing and delivery to said external device, 

and if said destination port address is included in said list of reserved port 
addresses, determining whether said destination port address is bound to said local IP 
address of said local device, and if said destination port address is bound to said local IP 
address, performing normal address translation upon said datagram and passing said 
datagram to said external network for routing and delivery to said external device, 

and if said destination port address is not bound to said local IP address of said 
local device, modifying said source IP address of said datagram to be said external IP 
address of said gateway, binding said destination port address to said local IP address of 
said local device and creating an association between said destination port address and 
the external IP address of said external device, and passing said datagram to said external 
network for routing and delivery to said external device[, 

means for delivering a datagram from said external device to said local device by 
receiving a datagram from said external device on said external network intended for 
delivery to said local device on said LAN, 

determining whether said datagram is encrypted and, if said datagram is encrypted, 
determining whether the datagram's SPI is recorded in said SPI - In field of said internal 



table and, if said SPI is recorded in said SPI - In field, modifying the destination IP address 
of said datagram to be said local IP address of said local device and passing said 
datagram to said LAN for routing and delivery to said local device, 

and if said SPI is not recorded in said SPI - In field of said internal table, determining 
whether said SPI - In field corresponding to said IP address of said external device is equal 
to zero and, if said SPI - In field is not equal to zero, discarding said datagram, 

and if said SPI - In field is equal to zero, setting said SPI - In field equal to said SPI, 
modifying the destination IP address of said datagram to be said local IP address of said 
local device and passing said datagram to said LAN for delivery to said local device, 

and if said datagram is not encrypted, determining whether the destination port 
address for said datagram is included in said list of reserved port addresses and, if said 
destination port address is not included in said list of reserved port addresses, performing 
normal address translation upon said datagram and passing said datagram to said LAN 
for delivery to said local device, 

and if said destination port address is included in said list of reserved port 
addresses, determining whether said destination port address is bound to the local IP 
address of said local device, if said destination port address is not bound to said local IP 
address, discarding said datagram, 

and if said destination port address is bound to said local IP address, modifying said 
destination IP address of said datagram to be said local IP address of said local device, 
unbinding said destination port address from said local IP address, and passing said 
datagram to said LAN for delivery to said local device]. 

2. (Amended) [The network address translating gateway of claim 1 , further 



comprising a timer, wherein, upon receiving a signal that a port address has become 
bound to an IP address, said timer will commence timing for a predetermined length of time 
and, upon the expiration of said predetermined length of time, will send a signal causing 
said port address to become unbound from said IP address, and, upon receiving a signal 
indicating that said port address has become unbound from said IP address prior to the 
expiration of said predetermined length of time, said timer will stop timing and will reset ] 
The network address translating gateway of claim 1 . wherein the means for delivering a 
datagram from a local device on said LAN to an external device further comprises a means 
for determining whether said datagram is encrypted and, if said datagram is encrypted, for 
determining whether the SPI of said datagram is recorded in the SPI - Out field in said 
internal table and, if said SPI is recorded in said SPI - Out field, modifying the source IP 
address of said datagram to be said external IP address of said gateway and passing said 
datagram to said external network for routing and delivery to said external device . 

3. (Amended) [The network address translating gateway of claim 1 in which 
said external network is the internet] The network address translating gateway of claim 
2, further comprising if said SPI is not recorded in said SPI - Out field of said internal table, 
means for setting the SPI - In field corresponding to the local IP address of said local 
device eoual to zero and setting said SPI - Out field egual to said SPI. modifying said 
source IP address of said datagram to be said external IP address of said gateway and 
passing said datagram to said external network for routing and delivery to said external 
device . 

4. (Amended) [The network address translating gateway of claim 3 in which 
said LAN is a virtual private network] The network address translating gateway of claim 



1 . wherein the network address translating gateway further comprises means for delivering 
a datagram from said external device to said local device by receiving a datagram from 
said external device on said external network intended for delivery to said local device on 
said LAN, means for determining whether said datagram is encrypted and, if said datagram 
is encrypted, determining whether said datagram's SPI is recorded in said SPI - In field of 
said internal table and, if said SPI is recorded in said SPI - In field, modifying the 
destination I P address of said datagram to be said local IP address of said local device and 
passing said datagram to said LAN for routing and delivery to said local device, and if said 
SPI is not recorded in said SPI - In field of said internal table, determining whether said SPI 
- In field corresponding to said IP address of said external device is equal to zero and, if 
said SPI - In field is not equal to zero, discarding said datagram, and if said SPI - In field 
is equal to zero, setting said SPI - In field equal to said SPI. modifying said destination IP 
address of said datagram to be said local IP address of said local device and passing said 
datagram to said LAN for delivery to said local device, and if said datagram is not 
encrypted, determining whether the destination port address for said datagram is included 
in said list of reserved port addresses and, if said destination port address is not included 
in said list of reserved port addresses, performing normal address translation upon said 
datagram and passing said datagram to said LAN for delivery to said local device, and if 
said destination port address is included in said list of reserved port addresses, 
determining whether said destination port address is bound to the local IP address of said 
local device, if said destination port address is not bound to said local IP address, 
discarding said datagram, and if said destination port address is bound to said local IP 
address, modifying said destination IP address of said datagram to be said local IP 



address of said local device, unbinding said destination port address from said local IP 
address, and passing said datagram to said LAN for delivery to said local device . 

5. (Amended) [A method of processing IP datagrams from a local device on 
a LAN using local IP addresses through a network translating gateway to an external 
device on an external network comprising the steps of 

maintaining a plurality of tables associating local IP addresses of local devices on 
said LAN, external IP addresses of external devices on said external network, port 
addresses of said local devices, port addresses of said external devices, SPI - In values, 
SPI - Out values, and reserved port addresses, and a list of reserved port addresses, 

receiving a datagram from said LAN 

determining whether said datagram is encrypted and, if said datagram is encrypted, 
determining whether the SPI in said datagram is recorded in the SPI - Out field of one of 
said plurality of internal tables and, if said SPI is recorded in said SPI - Out field of said 
internal table, modifying the source IP address to be the external IP address of said 
gateway and passing said datagram to said external network for routing and delivery to 
said external device, 

and if said SPI is not recorded in said SPI - Out field of said internal table, setting 
said SPI - Out field corresponding to the IP address of said external device equal to said 
SPI and setting the SPI - In field of said internal table to zero, modifying said source IP 
address to be said external IP address of said gateway, and passing said datagram to said 
external network for routing and delivery to said external device, 

and if said datagram is not encrypted, determining whether the destination port 
address for said datagram is included in said table of reserved port addresses and, if said 



destination port address is not included in said table of reserved port addresses, 
performing normal address translation upon said datagram and passing said datagram to 
said external network for routing and delivery to said external device, 

and if said destination port address is included in said table of reserved port 
addresses, determining whether said destination port address is bound to an IP address, 
and if said destination port is bound to an IP address, performing normal address 
translation upon said datagram and passing said datagram to said external network for 
routing and delivery to said external device, 

and if said destination port address is not bound to an IP address, modifying said 
source IP address to be said external IP address for said external device, binding said 
destination port address to the local IP address of said local device and creating an 
association between said destination port address and said external IP address of said 
external device, and passing said datagram to said external network for routing and 
delivery to said external device] The network address translating gateway of claim 1. 
further comprising a timer, wherein, upon receiving a signal that a port address has 
become bound to an IP address, said timer will commence timing for a predetermined 
length of time and, upon the expiration of said predetermined length of time, will send a 
signal causing said port address to become unbound from said IP address, and, upon 
receiving a signal indicating that said port address has become unbound from said IP 
address prior to the expiration of said predetermined length of time, said timer will stop 
timing and will reset . 

6. (Amended) [A method of processing IP datagrams from an external device 
on an external network through a network translating gateway to a local device on a LAN 



using local IP addresses, comprising the steps of 

maintaining a plurality of tables associating local IP addresses of local devices on 
said LAN, external IP addresses of external devices on said external network, port 
addresses of said local devices, port addresses of said external devices, SPI - In values, 
SPI - Out values, and reserved port addresses, and a list of reserved port addresses, 

receiving a datagram from said external network 

determining whether said datagram is encrypted and, if said datagram is encrypted, 
determining whether the SPI in said datagram is recorded in the SPI - In field of one of said 
plurality of internal tables and, if said SPI is recorded in said SPI - In field of said internal 
table, modifying the destination IP address to be the internal IP address of said local 
device and passing said datagram to said LAN for routing and delivery to said local device, 

and if said SPI is not recorded in said SPI - In field of said internal table, determining 
whether said SPI - In field corresponding to the IP address of said external device is zero, 
and if said SPI - In field is not zero, discarding said datagram, 

and if said SPI - In field is equal to zero, modifying said SPI - In field to be said SPI, 
modifying said destination IP address to be said local IP address of said local device, and 
passing said datagram to said LAN for routing and delivery to said local device, 

and if said datagram is not encrypted, determining whether the destination port 
address for said datagram is included in said list of reserved port addresses, and if said 
destination port address is not included in said list of reserved port addresses, performing 
normal address translation and passing said datagram to said LAN for routing and delivery 
to said local device, 

and if said destination port address is included in said list of reserved port 



addresses, determining whether said destination port address is bound to said local IP 
address, and if said destination port is not bound to said local IP address, discarding said 
datagram, 

and if said destination port address is bound to said local IP address, modifying said 
destination IP address to be said local IP address of said local device, unbinding said 
destination port address from said local IP address, and passing said datagram to said 
LAN for routing and delivery to said local device] The network address translating gateway 
of claim 1 in which said external network is the internet . 

7. (Amended) [The method of processing IP datagrams as claimed in claim 

5, further comprising the steps of starting a timer whenever said destination port address 
becomes bound to said local IP address of said local device, 

resettling said timer whenever said destination port address has become released, 
and sending a signal whenever said timer is active and a predetermined length of 

time has expired from the time said timer was started] The network address translating 

gateway of claim 6 in which said LAN is a virtual private network . 

8. (Amended) [The method of processing IP datagrams as claimed in claim 

6, further comprising the steps of starting a timer whenever said destination port address 
becomes bound to said local IP address of said local device, 

resettling said timer whenever said destination port address has become released, 
and sending a signal whenever said timer is active and a predetermined length of 
time has expired from the time said timer was started] A method of processing IP 
datagrams from a local device on a LAN using local IP addresses through a network 
translating gateway to an external device on an external network comprising the steps of: 




maintaining a plurality of tables associating local IP addresses of local devices on 
said LAN, external IP addresses of external devices on said external network, port 
addresses of said local devices, port addresses of said external devices, SPI - In values, 
SPI - Out values, and reserved port addresses, and a list of reserved port addresses. 

receiving a datagram from said LAN 

determining whether the destination port address for said datagram is included in 
said table of reserved port addresses and, if said destination port address is not included 
in said table of reserved port addresses, performing normal address translation upon said 
datagram and passing said datagram to said external network for routing and delivery to 
said external device. 

and if said destination port address is included in said table of reserved port 
addresses, determining whether said destination port address is bound to an IP address, 
and if said destination port is bound to an IP address, performing normal address 
translation upon said datagram and passing said datagram to said external network for 
routing and delivery to said external device. 

and if said destination port address is not bound to an IP address, modifying said 
source IP address to be said external IP address for said external device, binding said 
destination port address to the local IP address of said local device and creating an 
association between said destination port address and said external IP address of said 
external device, and passing said datagram to said external network for routing and 
delivery to said external device . 

9. (Amended) [The method of processing IP datagrams as claimed in claim 
5, in which said external network is the internet] The method of claim 8, further comprising 



the steps of: 

determining whether said datagram is encrypted and, if said datagram is encrypted, 
determining whether the SPI in said datagram is recorded in the SPI - Out field of one of 
said plurality of internal tables and, if said SPI is recorded in said SPI - Out field of said 
internal table, modifying the source IP address to be the external IP address of said 
gateway and passing said datagram to said external network for routing and delivery to 
said external device, and if said SPI is not recorded in said SPI - Out field of said internal 
table, setting said SPI - Out field corresponding to the IP address of said external device 
equal to said SPI and setting the SPI - In field of said internal table to zero, modifying said 
source IP address to be said external IP address of said gateway, and passing said 
datagram to said external network for routing and delivery to said external device . 

10. (Amended) [The method of processing IP datagrams as claimed in claim 
6, in which said external network is the internet] A method of processing IP datagrams 
from an external device on an external network through a network translating gateway to 
a local device on a LAN using local IP addresses, comprising the steps of 

maintaining a plurality of tables associating local IP addresses of local 
devices on said LAN, external IP addresses of external devices on said external network, 
port addresses of said local devices, port addresses of said external devices. SPI - In 
values. SPI - Out values, and reserved port addresses, and a list of reserved port 
addresses. 

receiving a datagram from said external network 

determining whether said datagram is encrypted and if said datagram is not 
encrypted, determining whether the destination port address for said datagram is included 



in said list of reserved port addresses, and if said destination port address is not included 
in said list of reserved port addresses, performing normal address translation and passing 
said datagram to said LAN for routing and delivery to said local device, 

and if said destination port address is included in said list of reserved port 
addresses, determining whether said destination port address is bound to said local IP 
address, and if said destination port is not bound to said local IP address, discarding said 
datagram, 

and if said destination port address is bound to said local IP address, 
modifying said destination IP address to be said local IP address of said local device, 
unbinding said destination port address from said local IP address, and passing said 
datagram to said LAN for routing and delivery to said local device . 

1 1 . (Amended) [The method of processing IP datagrams as claimed in claim 
5 in which said LAN is a virtual private network] The method of claim 10. wherein the 
method further comprises the steps, if said datagram is encrypted, of: 

determining whether the SPI in said datagram is recorded in the SPI - In field of one 
of said plurality of internal tables and, if said SPI is recorded in said SPI - In field of said 
internal table, modifying the destination IP address to be the internal IP address of said 
local device and passing said datagram to said LAN for routing and delivery to said local 
device. 

and if said SPI is not recorded in said SPI - In field of said internal table, determining 
whether said SPI - In field corresponding to the IP address of said external device is zero, 
and if said SPI - In field is not zero, discarding said datagram. 

and if said SPI - In field is egual to zero, modifying said SPI - In field to be said SPI. 



modifying said destination IP address to be said local IP address of said local device, and 
passing said datagram to said LAN for routing and delivery to said local device . 

12. (Amended) [The method of processing IP datagrams as claimed in claim 
6 in which said LAN is a virtual private network] The method of processing IP datagrams 
as claimed in claim 11. further comprising the steps of starting a timer whenever said 
destination port address becomes bound to said local IP address of said local device, 

resettling said timer whenever said destination port address has become released, 
and sending a signal whenever said timer is active and a predetermined length of 
time has expired from the time said timer was started . 

1 3. (New) The method of processing I P datagrams as claimed in claim 1 2, further 
comprising the steps of starting a timer whenever said destination port address becomes 
bound to said local IP address of said local device, 

resettling said timer whenever said destination port address has become released, 
and sending a signal whenever said timer is active and a predetermined length of 
time has expired from the time said timer was started. 

14. (New) The method of processing IP datagrams as claimed in claim 11, in 
which said external network is the internet. 

15. (New) The method of processing IP datagrams as claimed in claim 12, in 
which said external network is the internet. 

16. (New) The method of processing IP datagrams as claimed in claim £MJJn 
which said LAN is a virtual private network. 

17. (New) The method of processing IP datagrams as claimed in claim 12 in 
which said LAN is a virtual private network. 
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18. (New) A machine readable storage, having stored thereon a computer 
program having a plurality of code sections executable by a machine and for connecting 
a LAN to an external network via a network address translating gateway, wherein said 
gateway having a local IP address that can be seen by devices on said LAN and having 
an external IP address that can be seen by devices on said external network, and further 
including a plurality of internal tables associating combinations of local IP addresses of 
local devices on said LAN, external IP addresses of external devices on said external 
network, source port addresses, destination port addresses, reserved port addresses, and 
a list of reserved port addresses, for assisting the machine to perform the steps of: 

attempting to deliver a datagram from a local device on said LAN to an external 
device on said external network by receiving a datagram from a local device on said LAN 
intended for delivery to an external device on said external network; 

determining whether the destination port address for said datagram is included in 
said list of reserved port addresses and determining whether said destination port address 
is bound to said local IP address of said local device; 

performing normal address translation upon said datagram and passing said 
datagram to said external network for routing and delivery to said external device if said 
destination port address is not included in said list of reserved port addresses; 

performing normal address translation upon said datagram and passing said 
datagram to said external network for routing and delivery to said external device, if said 
destination port address is included in said list of reserved port addresses and if said 
destination port address is bound to said local IP address; and 

modifying said source IP address of said datagram to be said external IP address 



* 



of said gateway, binding said destination port address to said local IP address of said local 
device and creating an association between said destination port address and the external 
IP address of said external device, and passing said datagram to said external network for 
routing and delivery to said external device if said destination port address is not bound to 
said local IP address of said local device. 



